Basic Propositional Linear Temporal Logic

2.4 Completeness

and the Dummett formula

2(2(A→2A)→A)→(32A→2A)

to the axioms of S4. These additional axioms forceto be linear and discrete, respectively.

This logic is “very close” to LTL: a formulaAis derivable in the resulting formal system if and only ifAis valid in all Kripke structures({ηi}i∈N,≤). However, formulas of S4.3Dum do not contain the “nexttime” operator, and in particular it is impossible to formulate an induction rule in that logic.

to prove thatAimpliesAor, equivalently, thatAis not valid whenever it is not derivable. SinceA ∼= ¬¬A, we may assume without loss of generality thatA is of the form¬B, and we will show thatAis satisfiable (by constructing a suitable temporal structure) whenever¬Acannot be derived inΣ_LTL.

Let us begin with introducing some notation. A positive-negative pair (shortly:

PNP) is a pairP = (F⁺,F⁻)of two finite setsF⁺andF⁻of formulas. We denote the setF⁺∪F⁻byF_P. Furthermore, we will sometimes denoteF⁺bypos(P)and F⁻byneg(P). Finally, the formulaPwill be the abbreviation

P ≡

A∈F⁺

A ∧

B∈F⁻

¬B

where empty conjunctions are identified with the formula true. PNPs will be used to represent (possibly incomplete) information about the temporal structure under construction; the intuition is that the formulas inF⁺should be true and those inF⁻ should be false at the current state.

A PNP P is called inconsistent if¬P. Otherwise,P is called consistent.

Lemma 2.4.1. Let P = (F⁺,F⁻)be a consistent PNP andAa formula.

a)F⁺andF⁻are disjoint.

b)(F⁺∪ {A},F⁻)or(F⁺,F⁻∪ {A})is a consistent PNP.

Proof. a) Assume thatF⁺andF⁻are not disjoint and pick someA∈ F⁺∩ F⁻. ThenPis of the form . . .∧A∧. . .∧¬A∧. . . which implies that¬Pis tautologically valid. So ¬P, which means that P is inconsistent and a contradiction is reached.

Hence,F⁺andF⁻must be disjoint.

b) IfA ∈ F⁺ orA ∈ F⁻ then we have(F⁺ ∪ {A},F⁻) = (F⁺,F⁻)or (F⁺,F⁻ ∪ {A}) = (F⁺,F⁻), respectively, and the assertion follows by the as- sumed consistency of(F⁺,F⁻). Otherwise, assuming both pairs under considera- tion are inconsistent implies ¬(P ∧ A)and ¬(P ∧ ¬A). With (prop) we obtain

¬P, which again contradicts the consistency ofP. Hence, (at least) one of the pairs

must be consistent.

Lemma 2.4.2. Let P = (F⁺,F⁻)be a consistent PNP andAandBformulas.

a) false∈ F/ ⁺.

b) IfA,B,A→B∈ F_P thenA→B∈ F⁺ ⇔ A∈ F⁻orB∈ F⁺. c) If A→B,A∈ F⁺,B∈ FP thenB ∈ F⁺.

Proof. a) Assume false∈ F⁺. Then P → false by (taut) which is just¬P, and a contradiction is reached. This proves false∈ F/ ⁺.

b) Assume thatA→B∈ F⁺butA∈ F/ ⁻andB ∈ F/ ⁺. SinceA,B∈ F_P we getA∈ F⁺andB∈ F⁻. Then P → (A→B)∧A∧ ¬Band this yields ¬P with (prop) which is a contradiction. HenceA∈ F⁻orB∈ F⁺. On the other hand, assume thatA∈ F⁻orB ∈ F⁺. IfA→B ∈ F/ ⁺we must haveA→B ∈ F⁻, and we get P → ¬(A →B)∧ ¬Aor P → ¬(A →B)∧B. In both cases we again obtain the contradiction ¬P; hence A→B∈ F⁺.

c) Assume thatB∈ F/ ⁺. ThenB∈ F⁻because ofB∈ FP, and withA∈ F⁺ we get P → A∧ ¬B, and furthermore ¬Pwith A→Band (prop). This is in contradiction to the consistency ofP; henceB ∈ F⁺. LetF be a formula. WithF we associate a set τ(F)of formulas, inductively defined as follows:

1. τ(v) ={v} forv∈V.

2. τ(false) ={false}.

3. τ(A→B) ={A→B} ∪τ(A)∪τ(B).

4. τ(eA) ={ eA}.

5. τ(2A) ={2A} ∪τ(A).

Informally,τ(F)is the set of “subformulas” ofF where, however, formulas eAare treated as “indivisible”. For a setFof formulas we let

τ(F) ={A|A∈τ(F),F ∈ F}.

Obviously,τ(τ(F)) = τ(F) andτ(F_P)is finite for every PNP P (sinceF_P is finite). We call a PNPP complete ifτ(F_P) =F_P.

Lemma 2.4.3. Let P be a consistent PNP. There is a consistent and complete PNP P^∗withpos(P)⊆pos(P^∗)andneg(P)⊆neg(P^∗).

Proof. Starting fromP,P^∗is constructed by successively addingAtopos(P)or to neg(P)for everyA∈τ(FP)depending on which of these extensions is consistent.

By Lemma 2.4.1 b) this is always possible and it evidently yields some consistent

and complete PNPP^∗.

Given a consistent PNPP, we call any PNPP^∗that satisfies the conditions of Lemma 2.4.3 a completion ofP. In general, different completions of a givenPare possible, but obviously only finitely many.

Lemma 2.4.4. Let P1^∗, . . . ,Pn^∗be all different completions of a consistent PNP P. Then P → P₁^∗∨. . .∨P_n^∗.

Proof. We first prove an auxiliary assertion: letFbe some finite set of formulas and letQ1, . . . ,Qm be all the different PNPQwithF_Q=τ(F)and such thatpos(Q) andneg(Q)are disjoint. Becauseτ(F_Q) =τ(τ(F)) = τ(F) =F_Qholds for any suchQ, allQ1, . . . ,Qm are complete and we show by induction on the number of formulas inτ(F)that

(∗)

m i=1

Qi.

Ifτ(F) = ∅then m = 1,Q1 = (∅,∅), andQ1 ≡ true, so (∗) holds by (taut).

Assume now thatτ(F) = {A1, . . . ,Ak} for somek ≥ 1. Clearly there must be somej (where 1 ≤ j ≤ k) such that Aj ∈/ τ({A1, . . . ,Aj−1,Aj+1, . . . ,Ak}), i.e.,Aj is a “most complex” formula inτ(F); letF=τ(F)\ {Aj}. In particular, it follows thatτ(F) =F. LetQ1, . . . ,Q_lbe all PNP constructed forFas described.

Thenm = 2land the PNPQ1, . . . ,Qmare obtained fromQ1, . . . ,Q_l as follows:

Q1= (pos(Q1)∪ {A_j},neg(Q1)), ...

Ql = (pos(Q_l)∪ {Aj},neg(Q_l)), Ql+1= (pos(Q₁),neg(Q₁)∪ {Aj}),

...

Qm = (pos(Q_l),neg(Q_l)∪ {Aj}).

By the induction hypothesis we have l

i=1Q_i which yields

l i=1

(Q_i∧Aj) ∨ l i=1

(Q_i∧ ¬Aj), i.e., (∗) by (prop).

Let nowPbe a consistent PNP, and letP₁, . . . ,P_m be all different PNPPwith F_P = τ(F_P)and such that pos(P) andneg(P)are disjoint. The completions P₁^∗, . . . ,P_n^∗are just thoseP_iwhich are consistent and for whichpos(P)⊆pos(P_i) andneg(P)⊆neg(P_i). Without loss of generality, we may suppose that these are P1, . . . ,Pn, which means that fori>n,

(i) Piis inconsistent or

(ii) pos(P)⊆pos(P_i) or neg(P)⊆neg(P_i).

We obtain ¬Pi in case (i) andpos(P)∩neg(P_i)=∅orneg(P)∩pos(P_i)=∅ and therefore ¬(P ∧ P_i)by (taut) in case (ii). In either case, we may conclude P → ¬ P_i with (prop), and this holds for every i > n. With (∗) we obtain m

i=1P_i and with (prop) we then get P → n

i=1P_i which is just the desired

assertion.

The informal meaning of a completionP^∗of a consistent PNPP is that those subformulas of formulas appearing inF_P that should be true or false in some state are collected inpos(P^∗)andneg(P^∗), respectively, ensuring that all formulas of pos(P)are true and all formulas ofneg(P)false in that state. Let us illustrate this idea with a little example. SupposeA≡(v1→v2)→2v3,B ≡v3 → ev2(with v₁,v₂,v₃∈V), andP = ({A},{B}). One possible completion ofPis

P^∗= ({A,v1→v2,2v3,v2,v3},{B,v1, ev2}).

If all the (proper) parts ofAandBinpos(P^∗)evaluate tottand those inneg(P^∗) toff then A becomes tt and B becomes ff and, moreover, such a valuation is in fact possible because of the consistency of P^∗. However, some of this information focussed on one state may also have implications for other states. In our example, 2v₃becomes true in a state only ifv₃is true in that state which is already noted by

v₃belonging topos(P^∗)andv₃is also true in every future state or, equivalently,2v₃ is true in the next state. To make ev₂false requiresv₂ to be false in the next state.

The “transfer” of such information from one state to the next is the purpose of our next construction.

For a PNPP = (F⁺,F⁻)we define the following four sets of formulas σ1(P) ={A| eA∈ F⁺},

σ2(P) ={2A|2A∈ F⁺}, σ3(P) ={A| eA∈ F⁻},

σ4(P) ={2A|2A∈ F⁻andA∈ F⁺} and the PNP

σ(P) =

σ1(P)∪σ2(P), σ3(P)∪σ4(P) . For the example above we have

σ(P^∗) = ({2v₃},{v₂})

comprehending the information about what has to become true or false in the next state to “fulfill”P^∗in the way described above.

Lemma 2.4.5. LetP be a PNP.

a)P → eσ(P).

b) IfP is consistent thenσ(P)is consistent.

Proof. a) We show that P → eCifC ∈σ1(P)∪σ2(P)and that P → e¬C ifC ∈σ3(P)∪σ4(P). The assertion a) then follows immediately with (prop) and (T15’), which was formally derived in the previous section. We distinguish the four cases ofC ∈σi,i= 1, . . . ,4:

1. IfC ∈σ1(P)then eC ∈pos(P)and therefore P → eC by (prop).

2. IfC ≡2A∈σ₂(P)then2A∈pos(P)and therefore P → 2Aby (prop), from which we get P → e2Awith (ltl3) and (prop).

3. IfC ∈σ3(P)then eC ∈neg(P)and therefore P → ¬ eC by (prop) from which we get P → e¬Cwith (ltl1) and (prop).

4. If C ≡ 2A ∈ σ4(P) then2A ∈ neg(P) and A ∈ pos(P)and therefore P → A∧ ¬2Aby (prop) from which we get P → ¬ e2Awith (ltl3’) and (prop) and finally P → e¬2Awith (ltl1) and (prop).

b) Assume thatσ(P)is inconsistent, i.e., ¬σ(P). Using (nex) it follows that e¬σ(P); hence also ¬eσ(P)with (ltl1) and (prop). Together with a) we infer ¬Pby (prop), implying thatPwould be inconsistent.

According to our explanation of the proof idea above, in order to satisfy the formulas ofpos(P)and falsify those ofneg(P)of a given consistent PNP P, re- spectively, in a state, the infinite sequence

P^∗, σ(P^∗)^∗, σ(σ(P^∗)^∗)^∗, . . .

should now carry the complete information about how the parts of those formulas should evaluate in that state and all subsequent ones. There is, however, one remain- ing problem: for some elementPi of this sequence there could be2A ∈neg(Pi) which means thatAshould become false in the corresponding state or in a subse- quent state. But, either forced by the consistency constraint or just by having chosen a “bad” completion,A∈pos(Pj)could hold for all elementsPj,j ≥i, of the se- quence. In order to overcome this last difficulty we consider all possible completions in every step “from one state to the next”.

Formally, letPbe a consistent and complete PNP. We define an infinite treeK_P:

• The root ofKP isP.

• IfQis a node ofKP then the successor nodes ofQare all different completions ofσ(Q).

According to our remarks and results above, every node ofKP is a consistent and complete PNP. IfQis a node then the subtree ofKP with rootQis justKQ. Lemma 2.4.6. LetP be a consistent and complete PNP.

a)KP has only finitely many different nodesQ1, . . . ,Qn. b) ⁿ

i=1

Qi → eⁿ

i=1

Qi.

Proof. a) From the definitions of theσandτoperations it follows immediately that all formulas that occur in some node ofK_P are subformulas of the formulas con- tained inF_P, of which there are only finitely many. This implies that there can be only finitely many different nodes inK_P.

b) Lemma 2.4.5 a) shows that we have Qi→ eσ(Qi)for everyi= 1, . . . ,n. LetQi1, . . . ,Qim be all different completions ofσ(Qi); then Lemma 2.4.4 proves σ(Qi) → m

j=1Q_ij. The definition ofK_P impliesQ_ij ∈ {Q1, . . . ,Qn}; hence Q_ij → _n

k=1Qk, for everyj = 1, . . . ,m. So we get σ(Qi) → _n

k=1Qk

with (prop); furthermore eσ(Qi)→ e_n

k=1Qkwith (nex) and (ltl2) and hence Qi → e_n

k=1Qk fori = 1, . . . ,n. From this, assertion b) follows with (prop).

A finite path (fromP1toPk) inKP is a sequenceP1, . . . ,Pkof nodes such that Pi+1is a successor node ofPifor everyi = 1, . . . ,k−1. An infinite path is defined analogously.

Lemma 2.4.7. LetP be a consistent and complete PNP,P0,P1,P2, . . .an infinite path inKP,i∈N, andAa formula.

a) If eA∈ FPithen: eA∈pos(Pi) ⇔ A∈pos(Pi+1).

b)2A∈pos(Pi) ⇒ A∈pos(Pj) for everyj ≥i.

Proof. a) Assume that eA ∈ FPi. If eA∈ pos(Pi)thenA ∈pos(σ(Pi)); hence A∈pos(Pi+1). If eA∈/pos(Pi)then eA∈neg(Pi); henceA∈neg(σ(Pi)), and thereforeA∈neg(Pi+1)andA∈/pos(Pi+1)with Lemma 2.4.1 a).

b) Assume that2A∈pos(Pi). ThenA ∈ FPi because ofA∈τ(2A)and the completeness ofPi. We getA ∈ pos(Pi)with Lemma 2.4.2 c) and 2A → A, which follows from (ltl3). Moreover,2A ∈pos(σ(Pi)); hence2A ∈pos(Pi+1).

By induction we may conclude thatA∈pos(Pj)for everyj ≥i.

An infinite path inKP is just a sequence of PNPs as in our informal explanation above. However, as explained there, we have to find such a path where every (“nega- tive”) occurrence of some formula2Ain someneg(Pi)is eventually followed by a negative occurrence ofA. Formally, let us call an infinite pathP0,P1,P2, . . .inKP

complete ifP0=P and the following condition holds for everyi∈N:

If 2A∈neg(Pi)thenA∈neg(Pj)for somej≥i.

Lemma 2.4.7 and this definition will be seen to ensure the existence of a tempo- ral structure satisfyingP. It remains to guarantee that a complete path really exists wheneverPis consistent and complete.

Lemma 2.4.8. LetP be a consistent and complete PNP. There is a complete path in K_P.

Proof. We first show:

(∗) IfQis some node ofKPandAis some formula such that2A∈neg(Q)then there is a nodeQofKQsuch thatA∈neg(Q).

Assume thatA ∈/ neg(Q)for every nodeQ ofKQ. Because ofA ∈ τ(2A)we then haveA∈pos(Q)and therefore2A∈neg(Q)for all successor nodesQofQ according to the constructionσ. Continuing inductively, we find that2A∈neg(Q), A∈pos(Q), and hence Q →Afor every nodeQ ofKQ. LetQ1, . . . ,Qn be all nodes ofKQ. Then _n

i=1Qi →A. Furthermore, by Lemma 2.4.6 b) we have _n

i=1Q_i → e_n

i=1Q_i; so with (ind) we obtain _n

i=1Q_i →2A. Because of Q ∈ {Q₁, . . . ,Qn}we also have Q → n

i=1Q_iand so we get Q → 2Aby (prop). Because of2A∈neg(Q), i.e., Q → ¬2 A, this implies ¬Q by (prop) which means thatQis inconsistent. This is a contradiction; thus (∗) is proved.

From Lemma 2.4.6 a) we know that K_P contains only finitely many different nodes. Sinceneg(Q)is a finite set of formulas for every nodeQ, there can only be finitely many formulasAsuch that2A∈neg(Q)for some nodeQofK_P. Choose some fixed enumerationA0, . . . ,Am−1of all such formulas. In order to construct a complete path inK_P we now define a successionπ0, π1, . . .of finite and non-empty paths inK_Psuch thatπi is a proper prefix ofπi+1:

• Letπ0=Pconsist only of the rootPofKP.

• Inductively, assume that π_i = Q0,Q1, . . . ,Qk has already been defined. We distinguish two cases: if2A_imodm ∈/ neg(Qk)orA_imodm ∈neg(Qk)then π_i+1 is obtained fromπ_i by appending some successor nodeQ ofQk inKP. (Lemmas 2.4.5 and 2.4.3 imply thatQkhas at least one successor node.) If2Aimodm ∈neg(Qk)andA_imodm ∈/ neg(Qk)then, by (∗),K_Qk contains some nodeQ such thatAimodm ∈ neg(Q). Choose such aQ (which must obviously be different fromQk), and letπi+1be obtained by appending the path fromQktoQto the pathπi.

The succession π0, π1, . . . uniquely determines an infinite path π = Q0,Q1, . . . withQ0 = P inK_P. To see that πis complete, assume that2A ∈ neg(Qi)for somei but thatA ∈/ neg(Qi) for all i ≥ i. As in the proof of (∗), it follows that 2A ∈ neg(Qi)for everyi ≥ i. The formula Aoccurs in the enumeration of all formulas of this kind fixed above, say, asAl. Now choosej ∈ Nsuch that π_j·m+l =Q0, . . . ,Qk wherek ≥i; in particular it follows that2A_l ∈ neg(Qk).

But the construction ofπ_i+1 ensures thatπ_i+1, which is a finite prefix of π, ends with some nodeQsuch thatA≡A_l ∈neg(Q), and a contradiction is reached. We have thus found a complete pathπ=Q0,Q1, . . .inKP. Now we have in fact all means for proving a theorem which is a rather trivial transcription of the desired completeness result.

Theorem 2.4.9 (Satisfiability Theorem forΣLTL). For every consistent PNPP, the formulaPis satisfiable.

Proof. LetP be a consistent PNP,P^∗ be a completion ofP, andP0,P1,P2, . . .a complete path inKP^∗ according to Lemma 2.4.8. We define a temporal structure K= (η₀, η₁, η₂, . . .)by:

ηi(v) =tt ⇔ v ∈pos(Pi) for everyv∈V,i ∈N.

We will prove below that for every formulaFand everyi∈N:

(∗) IfF ∈ F_Pi then: Ki(F) =tt ⇔ F ∈pos(Pi).

Before we prove this, let us show that (∗) implies the satisfiability ofP: because of pos(P)⊆pos(P0),neg(P)⊆neg(P0), andpos(P0)∩neg(P0) =∅we get

K₀(P) =K₀

A∈pos(P)

A ∧

B∈neg(P)

¬B

=tt

from (∗). In particular,Pis satisfiable.

The proof of (∗) runs by structural induction on the formulaF.

1. F ≡v∈V: Ki(v) =ηi(v) =tt ⇔ v ∈pos(Pi) by definition.

2. F ≡false: We haveKi(false) =ffand false∈/ pos(Pi)by Lemma 2.4.2 a) and this implies (∗).

3. F ≡A→B: IfA→B ∈ FPithen alsoA∈ FPi andB∈ FPi becausePi is a complete PNP, and therefore:

Ki(A→B) =tt ⇔ Ki(A) =fforKi(B) =tt

⇔ A∈/ pos(Pi)orB∈pos(Pi) (ind.hyp.)

⇔ A∈neg(Pi)orB∈pos(Pi) (sinceA∈ FPi)

⇔ A→B∈pos(Pi) (by Lemma 2.4.2 b).

4. F ≡ eA: From eA∈ F_Piwe obtainA∈ F_Pi+1and therefore:

Ki(eA) =tt ⇔ Ki+1(A) =tt

⇔ A∈pos(Pi+1) (ind.hyp.)

⇔ eA∈pos(Pi) (by Lemma 2.4.7 a).

5. F ≡ 2A: If2A ∈ pos(Pi)it follows thatA ∈ pos(Pj)for everyj ≥ i by Lemma 2.4.7 b) and we getA∈ FPj and thereforeKj(A) =ttfor everyj ≥i by the induction hypothesis; henceKi(2A) =tt.

Assume, on the other hand, that 2A ∈ FPi and2A ∈/ pos(Pi). Therefore 2A∈neg(Pi), and the definition of a complete path and Lemma 2.4.1 a) ensure A ∈ neg(Pj)and thusA ∈/ pos(Pj)andA ∈ FPj for some j ≥ i. By the induction hypothesis we getK_j(A) =fffor thisj, which impliesK_i(2A)=tt.

Before we finally deduce our main result from this theorem we still mention that a close look at its proof provides another interesting corollary called finite model property (of LTL):

• Every satisfiable formula is satisfiable by a temporal structure which has only finitely many different states.

To see this fact, assume that a formulaAis satisfiable. From the definition it follows immediately that¬¬Ais satisfiable; hence¬Ais not valid by Theorem 2.1.9 and not derivable inΣLTLby Theorem 2.3.1. So, by definition, the PNP({A},∅)is consis- tent and thereforeAis satisfiable by a temporal structureKaccording to (the proof of) Theorem 2.4.9. By construction and Lemma 2.4.6 a),Khas only finitely many different states.

Theorem 2.4.10 (Weak Completeness Theorem forΣLTL).Σ_LTLis weakly com- plete, i.e., for every finite setFof formulas and formulaA, if F A then F A.

In particular: if Athen A.

Proof. We prove the claim first forF = ∅: if A then¬Ais not satisfiable by Theorem 2.1.9 and hence the PNP(∅,{A})is inconsistent by Theorem 2.4.9. This means ¬¬Aby definition and implies Ausing (prop).

Let nowF={A₁, . . . ,A_n} =∅. We then have

FA ⇒ A1. . .An−1 2An →A (Theorem 2.1.6) ...

⇒ 2A1→(2A2→. . .→(2An →A). . .) (Theorem 2.1.6)

⇒ 2A1→(2A2→. . .→(2An →A). . .) (proved above)

⇒ A12A2→(2A3→. . .→(2An →A). . .) (Theorem 2.3.4) ...

⇒ F A (Theorem 2.3.4).

Let us summarize. We now know from the Soundness and the Weak Complete- ness Theorems that

FA ⇔ F A for finiteF, in particular that

A ⇔ A.

This also means that we can view all logical laws (T1)–(T38) considered in Sect. 2.2 as derivable. For example, the law (T31) can be considered as the derived rule

A→B 3A→3B.

We will take advantage of this and freely use the laws in subsequent derivations.

Example. 2A → 3B,B → eC 2A → e23C can be derived using (T12), (T13), (T31), and (T35) as follows:

(1) 2A→3B assumption

(2) B→ eC assumption

(3) 3B →3eC (T31),(2)

(4) 3B → e3C (T13),(prop),(3)

(5) 2A→ e3C (prop),(1),(4)

(6) 2A→2 e3C (T35),(5)

(7) 2A→ e23C (T12),(prop),(6)

As another example, we derive the rule (chain) A→3B,B→3C A→3C which will be needed later.

Derivation of (chain).

(1) A→3B assumption

(2) B→3C assumption

(3) 3B →3C (T36),(2)

(4) A→3C (prop),(1),(3)

At the beginning of this section we argued that the non-derivability of F A→2B

forF ={A→ eⁱB |i ∈N}(eⁱ denotes the sequence e. . . eofi subsequently applied e-operators) shows that there is no sound formal system which is complete in the full sense. Another view of this situation together with the proven weak com- pleteness is given by the fact that full completeness could be achieved by weakening the concept of formal systems: a semi-formal system is like a formal system but may containω-rules, i.e., rules of the form

A1,A2,A3, . . .B

with an infinite sequenceA1,A2,A3, . . .of premises.

We conclude this section with the remark that the semi-formal system which results fromΣLTLby replacing the induction rule (ind) by theω-rule

(ω-ind) A→ eⁱB, i∈N A→2B

is indeed (sound and) complete in the full sense that FA ⇒ F A

then holds for arbitraryFandA.

Of course, a derivation in a semi-formal system is no longer a purely “mechan- ical” process. In order to apply an ω-rule the derivation of their infinitely many premises needs some argument “outside” the system, typically an inductive one. For example, a derivation of (ind) with (ω-ind) is given as follows:

(1) A→B assumption

(2) A→ eA assumption

(3) A→ eⁱB for alli∈N from (1) and (2) by induction oni

(4) A→2B (ω-ind),(3)

Line (3) is achieved by the fact that fori= 0it is just the assumption (1) and with

(3a) A→ eⁱB induction hypothesis

(3b) e(A→ eⁱB) (nex),(3a)

(3c) eA→ eⁱ⁺¹B (mp),(ltl2),(3b)

(3d) A→ eⁱ⁺¹B (prop),(2),(3c)

we obtain the necessary induction step.